Detailed record
Author (Chinese): 施宛辰
Author (English): Shi, Wan-Chen
Title (Chinese): 以深度學習分析網路流量特徵的殭屍網路檢測方式
Title (English): DeepBot: A Time-Based Botnet Detection with Deep Learning
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 許富皓, 黃世昆
Committee members (English): Hsu, Fu-Hau; Huang, Shih-Kun
Degree: Master's
Institution: National Tsing Hua University (國立清華大學)
Department: Department of Computer Science (資訊工程學系)
Student ID: 106062505
Year of publication (ROC calendar): 108
Academic year of graduation: 107
Language: English
Number of pages: 34
Keywords (Chinese): deep learning, botnet
Keywords (English): Deep Learning, Botnet
Abstract (Chinese, translated):
Over the past decades, with the rapid growth of technology, different forms of network attacks have spread explosively around the world. Among them, botnets are nearly the most notorious and intractable problem. The greatest difficulty in detecting botnets lies in their diverse and complex attack characteristics: the malware continually evolves its attack methods and features in order to avoid easy detection. Rule-based botnet detection methods are therefore increasingly unable to cope with constantly changing attack patterns. On the other hand, as more new network technologies are invented, the damage caused by botnets becomes more severe. In recent years, with rapid progress in Internet of Things technology, many network devices have been affected by botnets, causing huge losses across many industries. Botnet detection has therefore always been a critical topic in information security.
In this thesis, we propose a method that detects potential botnets by analyzing features extracted from packets. We first take the packets within a time window as the sample to inspect and extract traffic features from this packet sequence. Then, by analyzing them with different neural networks, we can detect whether a botnet threat is present and classify the detected botnets.
Abstract (English):
Over the decades, as Internet technology has thrived, more and more kinds of cyber-attacks have broken out around the world. Among them, botnets are one of the most noxious attacks and have always been challenging to overcome. The difficulty of botnet detection stems from the varied forms of attack, since the viruses keep evolving to avoid being found. Rule-based botnet detection has the shortcoming that it cannot detect dynamically changing features. On the other hand, the more Internet functionality is developed, the severer the impact botnets may cause. In recent years, as Internet of Things (IoT) technology has prospered, many network devices have suffered botnet attacks, causing great damage in many industries. Consequently, botnet detection has always been a critical issue in the computer security field.
In this thesis, we introduce a method to detect potential botnets by inspecting the behaviour of network traffic from network packets. First, we sample the given packets over a period of time and extract behavioural features from the resulting series of packets. By analyzing these features with the proposed deep learning models, we can detect the threat of botnets and classify them into different categories.
Table of contents:
1 Introduction
1.1 Motivation
1.2 Contribution
1.3 Organization
2 Background
2.1 Botnet
2.1.1 Definition
2.1.2 Botnet Architectures
2.2 Neural Network
2.2.1 Overview
2.2.2 Neural Network Structure
2.2.3 Activation Function
2.2.4 Backpropagation
2.3 RNN
2.4 LSTM
3 Related Works
3.1 Signature-Based
3.2 Anomaly-Based
3.3 DNS-Based
3.4 Mining-Based
4 Methodology
4.1 Overview
4.2 Dataset
4.3 Feature Extraction
4.4 Models
5 Implementation
5.1 Tools
5.2 Dataset
5.3 Packet Parsing
5.4 Deep Learning
6 Evaluation
6.1 Evaluation Method
6.2 Comparison
7 Conclusion
7.1 Conclusion
7.2 Future Work
Bibliography
(Full text not authorized for public release)